Breach of npm threatens billions of weekly downloads in JavaScript ecosystem

Alfonso Maruccia

Posts: 2,584   +972
Staff
What the Script: Supply chain attacks are traditionally designed to inflict maximum damage on structured organizations or companies. However, when such an attack compromises a supply chain that an entire software ecosystem depends on, the consequences can be truly unprecedented.

Earlier this week, the Npm package manager suffered what may be its worst security incident to date. Unknown cybercriminals managed to compromise the account of Josh "Qix" Junon, one of the core maintainers of the Npm project. As a result, several of the most critical packages in the JavaScript ecosystem were infected with a backdoor designed to steal user and developer cryptocurrency in bulk.

Security researchers quickly identified the backdoored packages and issued warnings about the ecosystem-wide security risk. Junon confirmed that his account had been "pwned" after receiving an email prompting him to reset his two-factor authentication credentials. The message appeared convincing, he explained, because it came from a domain styled as support.npmjs.help.

However, that domain had been registered only days earlier as part of a phishing attempt to mimic the official service. Junon noted that "only" Npm appeared to be affected, describing his week as "stressful." Npm, acquired by GitHub in 2020, remains a critical platform for managing and distributing JavaScript projects.

Security analysts have confirmed that the compromised packages are downloaded two to three billion times per week. The injected malicious code is designed to infect web browsers and monitor cryptocurrency transactions. When such transactions are detected, the backdoor swaps the intended destination wallets with addresses controlled by the attackers.

According to researchers, the malware hooks into critical JavaScript functions, allowing it to intercept and manipulate internet traffic from infected systems. The targeted packages were apparently chosen to maximize their impact across the JavaScript ecosystem. They form part of foundational projects and have thousands of dependent third-party libraries.

A successful attack against Npm alone is serious enough, but the broader trend in open-source security is even more concerning. Earlier this month, a massive supply chain campaign known as GhostAction targeted hundreds of GitHub users across more than 800 repositories. Hackers reportedly stole 3,325 "secrets," including authentication tokens for key services such as Npm, PyPI, and Docker Hub.

Permalink to story:

 
OMG 😂 this is why our communications infrastructure, whether it be phone, sms, mms, email, web based inside a browser, app or piece of software - needs to be made redundant and rebuilt with a primary objective in mind = SECURITY!

Fu#$ any spy authority, police organization or corporation that wants access. The idea is to create stable, secure, robust and impenetrable methods of communications to reduce the chances of small breaches creating big problems.
 
Followed the link to see the list of packages:
supports-hyperlinks
chalk-template
simple-swizzle
slice-ansi
error-ex
is-arrayish
wrap-ansi
backslash
color-string
color-convert
color
color-name
 
OMG 😂 this is why our communications infrastructure, whether it be phone, sms, mms, email, web based inside a browser, app or piece of software - needs to be made redundant and rebuilt with a primary objective in mind = SECURITY!

Fu#$ any spy authority, police organization or corporation that wants access. The idea is to create stable, secure, robust and impenetrable methods of communications to reduce the chances of small breaches creating big problems.
One of the developers' accounts was compromised because he fell to a phishing campaign. So your comment is kinda irrelevant in this case.
 
One of the developers' accounts was compromised because he fell to a phishing campaign. So your comment is kinda irrelevant in this case.

That's exactly my point! If a developer oversees or is in control of something large enough and is compromised in such a simple fashion. Well... look at the damage that could do!?
 
That's exactly my point! If a developer oversees or is in control of something large enough and is compromised in such a simple fashion. Well... look at the damage that could do!?
None of the points you made would address that. Code review might've though, and that's a human process. It has nothing to do with rebuilding systems, making systems redundant, or denying backdoors like you suggested. Code review is also how this issue was caught, but it obviously wasn't required in their devops workflow prior to the code being published. That'd require two people being phished in order for something like this to happen.
 
Back